CVE-2025-7717 – This CVE describes a missing authorization vuln... (How to Fix)

Q: What is the severity of CVE-2025-7717?

CVE-2025-7717 has a CVSS score of 7.5 (HIGH). This CVE describes a missing authorization vulnerability in Drupal's File Download module that allows forceful browsing (unauthorized file access). Attackers can bypass access controls to download files they shouldn't have permission to access. This affects Drupal sites using vulnerable versions of the File Download module.

📋 TL;DR

This CVE describes a missing authorization vulnerability in Drupal's File Download module that allows forceful browsing (unauthorized file access). Attackers can bypass access controls to download files they shouldn't have permission to access. This affects Drupal sites using vulnerable versions of the File Download module.

💻 Affected Systems

Products:

Drupal File Download module

Versions: 0.0.0 to 1.8.x, 2.0.0 to 2.0.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Drupal sites with the File Download module installed and enabled.

📦 What is this software?

File Download by File Download Project

View all CVEs affecting File Download →

File Download by File Download Project

View all CVEs affecting File Download →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could download sensitive files containing credentials, personal data, configuration secrets, or proprietary information, leading to data breaches and compliance violations.

🟠

Likely Case

Unauthorized users accessing files they shouldn't have permission to view, potentially exposing sensitive content or configuration data.

🟢

If Mitigated

Limited impact if proper file permissions and access controls are implemented at the operating system and application levels.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires knowledge of file paths but is technically simple once identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.0 or 2.0.1

Vendor Advisory: https://www.drupal.org/sa-contrib-2025-089

Restart Required: No

Instructions:

1. Update the File Download module to version 1.9.0 (for 1.x branch) or 2.0.1 (for 2.x branch). 2. Use Drupal's update manager or Composer: 'composer update drupal/file_download'. 3. Clear Drupal caches after update.

🔧 Temporary Workarounds

Disable File Download module

all

Temporarily disable the vulnerable module until patching is possible

drush pm:disable file_download

Implement access control at web server level

all

Use .htaccess or nginx location blocks to restrict access to file download paths

🧯 If You Can't Patch

Implement strict file permissions at OS level for sensitive directories
Use Drupal's built-in access control mechanisms to restrict file access

🔍 How to Verify

Check if Vulnerable:

Check File Download module version in Drupal admin at /admin/modules or via 'drush pm:list | grep file_download'

Check Version:

drush pm:list --fields=name,version --filter="name=file_download"

Verify Fix Applied:

Confirm module version is 1.9.0 or higher (1.x) or 2.0.1 or higher (2.x)

📡 Detection & Monitoring

Log Indicators:

Unusual file download patterns from unauthorized users
Access to file download endpoints without proper authentication

Network Indicators:

Requests to /system/files/* or file download endpoints without proper referrer or session tokens

SIEM Query:

source="drupal_access" AND (uri="/system/files/*" OR uri="/file/download/*") AND user="anonymous"

📊 Metadata

CVE ID: CVE-2025-7717

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-862

EPSS Score: 0.05% exploit probability (15.7th percentile)

Published: July 21, 2025

Last Updated: August 26, 2025

🔗 References

https://www.drupal.org/sa-contrib-2025-089 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-7717, you might also want to check these: